摘要
随着移动通信的快速发展,通信实体的身份认证日益成为研究人员面临的巨大挑战.在IETF(Internetengineeringtaskforce)的移动IPv6草案中,IPSec(IPsecurity)协议和RR(returnroutability)机制被用于保护相关通信节点之间的通信信令,但解决通信实体身份认证问题的方法存在一定的不足.首先分析了基于证书和基于身份的认证技术的优点和不足.基于证书的认证方法有很好的可扩展性,但PKI(publickeyinfrastructure)的部署和证书的分发代价较高.反之,由于相关节点需要共享一组系统参数,基于身份的认证方法可扩展性差,但克服了基于证书的认证方法的不足.然后,提出一种同时使用上述两种认证方法的混合认证方法.该混合认证方法为实现安全、快速、低成本和可扩展性好的身份认证提供了一种新的思路.最后,将这种混合技术用于改进移动IPv6安全关联的协商过程,并讨论了该技术的安全性.
In the rapidly expanding mobile environment, authenticity of communicating parties is one of the big research challenges and is receiving increasing attention. In the Mobile IPv6 defined by IETF (Intemet engineering task force), IPSec (IP security) protocols and RR (return routability) mechanism are used to protect signaling between related communicating nodes, however, how to realize identity authentication has not been efficiently solved. In this paper, the advantages and disadvantages of two authentication techniques-certificate-based authentication and identity-based authentication are analyzed. The scalability of certificate-based means is excellent, but the deployment of PKI (public key infrastructure) and the distribution of certificates make this method cosily. On the contrary, identity-based method hurdles the deficiency of certificate-based means, nevertheless the scalability suffers from the share of parameters among related nodes. Then an approach of integrating the two methods mentioned above is proposed to realize a secure and fast authentication with low cost and high scalability. Finally, this hybrid technique is applied in Mobile IPv6 to improve the negotiation of SA (security association), and the security issues are discussed.
出处
《软件学报》
EI
CSCD
北大核心
2005年第9期1617-1624,共8页
Journal of Software
